author | Karl Ramm <kcr@1ts.org> | 2010-08-22 00:56:14 +0000 |
---|---|---|
committer | Karl Ramm <kcr@1ts.org> | 2010-08-22 00:56:14 +0000 |
commit | 45a5927fc4d7e6cefdf6cbd46e186931ba4bf42b (patch) | |
tree | 6cfa9ff6a9fc36c0772e3cb3a5f0e46dd1eb4616 /server/realm.c | |
parent | b110bf96d4687ccc35c717dbc750bbb6fa420ee0 (diff) |
Don't crash if the header mysteriously gets too big. (Thanks to nelhage@mit.edu for noticing)
Diffstat (limited to 'server/realm.c')
-rw-r--r-- | server/realm.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/server/realm.c b/server/realm.c index 69c98eb..5de5d7e 100644 --- a/server/realm.c +++ b/server/realm.c @@ -1121,14 +1121,18 @@ realm_sendit_auth(ZNotice_t *notice, origoffset = 0; origlen = notice->z_message_len; - if (notice->z_multinotice && strcmp(notice->z_multinotice, "")) + if (notice->z_multinotice && strcmp(notice->z_multinotice, "")) { if (sscanf(notice->z_multinotice, "%d/%d", &origoffset, &origlen) != 2) { syslog(LOG_WARNING, "rlm_sendit_auth frag: parse failed"); return ZERR_BADFIELD; } + } + + fragsize = Z_MAXPKTLEN - hdrlen - Z_FRAGFUDGE; - fragsize = Z_MAXPKTLEN-hdrlen-Z_FRAGFUDGE; + if (fragsize < 0) + return ZERR_HEADERLEN; while (offset < notice->z_message_len || !notice->z_message_len) { (void) sprintf(multi, "%d/%d", offset+origoffset, origlen); |
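Review bot: The new guard `if (fragsize < 0)` still lets `fragsize == 0` through, which is the case when `hdrlen` equals `Z_MAXPKTLEN - Z_FRAGFUDGE` exactly. The loop body lies outside the hunk, but if it advances `offset` by `fragsize`, as the `while (offset < notice->z_message_len || ...)` condition suggests, a zero fragment size would presumably never terminate for a non-empty message; `if (fragsize <= 0)` closes that case. The check is also only effective if `fragsize` and `hdrlen` are signed, and their declarations are not visible here. A `syslog(LOG_WARNING, ...)` call before `return ZERR_HEADERLEN;`, matching the parse-failure path above it, would let operators see when an oversized header is rejected.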